undefined | Better HN

0 pointsKronisLV1y ago0 comments

> Do that globally.

We already do a simpler version of that with TLS and HTTPS, there are globally trusted root certs that ship with most OSes and browsers. It's just that we haven't extended the same approach to client certs and identity verification, instead having a bunch of walled gardens and governments running legacy methods of figuring out who someone is, as opposed to various eID mechanisms.

If I trust news.ycombinator.com because I trust ISRG Root X1, I might similarly trust John Doe's iPhone because I trust the government of France's CA, as a hypothetical, as long as the certification chain is valid there.

It's a problem that's technically solvable (say, in 20-50 years), but won't get done because good luck getting a bunch of governments to collaborate on that across the world. It's actually a surprise that we have TLS in the first place.

0 comments

bigfatkitten1y ago

> If I trust news.ycombinator.com because I trust ISRG Root X1, I might similarly trust John Doe's iPhone because I trust the government of France's CA, as a hypothetical, as long as the certification chain is valid there.

There are a whole ton of privacy problems with this. I am happy to demonstrate anonymously that I am not a bot, but a random blogger does not need to know that I am John Doe, a citizen of France with national ID number 12345678.

rad_gruchalski1y ago

We cannot get them to agree on cookie banners and you’re talking about something much more complicated.

Hey, by the way, would you trust some Chinese or Russian root certificate?

The question is irrelevant, frankly. Consider this: you’re living in Germany today. You trust the German government. They handle all your logins using that eID. What if in February AfD comes to power? Do you still trust the German government? Governments are formed by people. Different people have different interests.

KronisLVOP1y ago

> We cannot get them to agree on cookie banners and you’re talking about something much more complicated.

Another good example of something that’s technically feasible and not that complex, but was made infeasible due to either ignorance or malice, with all of the dark UI patterns and scummy behaviour.

> Hey, by the way, would you trust some Chinese or Russian root certificate?

Most people already do: https://chromium.googlesource.com/chromium/src/+/main/net/da...

For example:

  CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
  CN=GDCA TrustAUTH R5 ROOT,O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.,C=CN
  CN=UCA Global G2 Root,O=UniTrust,C=CN
  CN=UCA Extended Validation Root,O=UniTrust,C=CN
  CN=vTrus ECC Root CA,O=iTrusChina Co.,Ltd.,C=CN
  CN=vTrus Root CA,O=iTrusChina Co.,Ltd.,C=CN

If there’d be an issue of not wanting to support a certain country, then removing such a group of CAs from a store would be trivial for a particular service, same as with the above.

Plus, the opposite is also viable, if for example the Russian govt. wanted to allow anyone to verify whether particular requests come from their citizens, they might also run their own CA akin to https://www.bleepingcomputer.com/news/security/russia-create... except that the attack vector would change from MitM to fake identities being issued by them as needed (but since the server is the one doing the verification, it might as well drop the CA when desired).

> What if in February AfD comes to power?

Revoking the eID and anything dependent on it would be akin to your passport being taken away.

Essentially the modern day digital equivalent of getting your Google account banned by some bot, if you use that account for auth in a bunch of places.

Fundamentally, that’s no different from the reality that we already face - my regular eID could also be taken away if my own government felt like it, same as with my bank account and other assets.

Client certs themselves are nothing new, same for PKI. It’s a cool technology that could but presently cannot solve the problem of client identity globally, because we just can’t have nice things and order.

rad_gruchalski1y ago

> Revoking the eID and anything dependent on it would be akin to your passport being taken away.

Is it? If my eID is used for logging in to my bank and said eID is revoked, I can no longer log in to my bank account. That’s completely different than a locked up passport.

> Essentially the modern day digital equivalent of getting your Google account banned by some bot, if you use that account for auth in a bunch of places.

Use a custom domain, don’t make your kingdom dependent on the gmail.com address.

I don’t know, for me the perfect amount of government oversight is “as little as possible”. There’s zero need for the government to mediate between me and my bank, or some random service provider on the internet.

What you’re describing sounds like a fun technical challenge assuming a perfect world. For example: who decides which countries’ certificates should be revoked? Who decides who is the rogue one? Even that is stretching it too far. Can I simply download a browser without some selected certificates? If the technology is so great, why isn’t it widely adopted today

Those are all rhetorical questions. You don’t have explain PKI to me.

1 more reply

j / k navigate · click thread line to collapse

0 comments

bigfatkitten1y ago

rad_gruchalski1y ago

We cannot get them to agree on cookie banners and you’re talking about something much more complicated.

Hey, by the way, would you trust some Chinese or Russian root certificate?

KronisLVOP1y ago

> We cannot get them to agree on cookie banners and you’re talking about something much more complicated.

Another good example of something that’s technically feasible and not that complex, but was made infeasible due to either ignorance or malice, with all of the dark UI patterns and scummy behaviour.

> Hey, by the way, would you trust some Chinese or Russian root certificate?

Most people already do: https://chromium.googlesource.com/chromium/src/+/main/net/da...

For example:

  CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
  CN=GDCA TrustAUTH R5 ROOT,O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.,C=CN
  CN=UCA Global G2 Root,O=UniTrust,C=CN
  CN=UCA Extended Validation Root,O=UniTrust,C=CN
  CN=vTrus ECC Root CA,O=iTrusChina Co.,Ltd.,C=CN
  CN=vTrus Root CA,O=iTrusChina Co.,Ltd.,C=CN

If there’d be an issue of not wanting to support a certain country, then removing such a group of CAs from a store would be trivial for a particular service, same as with the above.

> What if in February AfD comes to power?

Revoking the eID and anything dependent on it would be akin to your passport being taken away.

Essentially the modern day digital equivalent of getting your Google account banned by some bot, if you use that account for auth in a bunch of places.

Fundamentally, that’s no different from the reality that we already face - my regular eID could also be taken away if my own government felt like it, same as with my bank account and other assets.

rad_gruchalski1y ago

> Revoking the eID and anything dependent on it would be akin to your passport being taken away.

Is it? If my eID is used for logging in to my bank and said eID is revoked, I can no longer log in to my bank account. That’s completely different than a locked up passport.

> Essentially the modern day digital equivalent of getting your Google account banned by some bot, if you use that account for auth in a bunch of places.

Use a custom domain, don’t make your kingdom dependent on the gmail.com address.

Those are all rhetorical questions. You don’t have explain PKI to me.

1 more reply

j / k navigate · click thread line to collapse